SSL Configuration with Host On Demand

Connecting the Adapter to a Telnet/TN3270 Server using SSL or TLS

Use the following steps to connect RACF resource adapters to a Telnet/TN3270
server using SSL/TLS.

Connecting RACF Adapters to Telnet/TN3270 Servers

Obtain the Telnet/TN3270 server’s certificate in the PKCS #12 file
format. Use hod as the password for this file. Consult
your server’s documentation on how to export the server’s certificate.
The procedure Generating a PKCS #12 File provides
some general guidelines.

Create a CustomizedCAs.class file from the
PKCS #12 file. If you are using a recent version of HOD, use the following
command to do this.

Place the CustomizedCAs.class file somewhere
in the Identity Manager server’s classpath, such as $WSHOME/WEB-INF/classes.

If a resource attribute named Session
Properties does not already exist for the resource, then use the [Please define the IDMIDE text entity] or
debug pages to add the attribute to the resource object. Add the following
definition in the <ResourceAttributes> section:

Go to the Resource Parameters page for the resource and add values
to the Session Properties resource attribute:

SESSION_SSL
true

Generating a PKCS #12 File

The following procedure gives a general description of generating
a PKCS #12 file for use with the Host OnDemand (HOD) Redirector over SSL/TLS. Refer
to the HOD documentation for detailed information about performing this task.

Generating a PKCS #12 File: General Steps

Create a new HODServerKeyDb.kdb file using
the IBM
Certificate Management tool. As part of that file, create a new self-signed
certificate as the default private certificate.

If you get a message
that is similar to “error adding key to the certificate database”
when you are creating the HODServerKeyDb.kdb file, one
or more of the Trusted CA certificates may be expired. Check the IBM website
to obtain up-to-date certificates.

Export that private certificate as Base64 ASCII into a cert.arm file.

Create a new PKCS #12 file named CustomizedCAs.p12 with
the IBM Certificate Management tool by adding the exported certificate from
the cert.arm file to the Signer Certificates. Use hod as
the password for this file.

Troubleshooting

You can enable tracing of the HACL by adding the following to the Session
Properties resource attribute:

The trace parameters should be listed without any new line characters.
It is acceptable if the parameters wrap in the text box.

The Telnet/TN3270 server should have logs that may help as well.

SSL Configuration with WRQ

The Attachmate 3270 Mainframe Adapter for Sun Emulator Class Library
is compatible with the IBM Host on Demand API. Follow all installation instructions
provided with the product. Then, perform the following steps in Identity Manager.

Configuring with WRQ

If a resource attribute named Session
Properties does not already exist for the resource, then use the [Please define the IDMIDE text entity] or
debug pages to add the attribute to the resource object. Add the following
definition in the <ResourceAttributes> section:

Use of the Attachmate WRQ Libraries when SSH is in Use by other Resource Adapters

Within Identity Manager, SSH is handled by the JCraft classes,
which are contained in jsch.jar. The Attachmate 3270 Mainframe
Adapter for Sun includes its own copy of the JCraft classes in RWebSDK.jar
(Identity Manager does not actually use these classes for 3270 connections).
The two jars do not contain the same version of the JCraft classes, however,
which may cause conflicts, depending on the order in which the web container
loads the jar files.

To avoid these conflicts, make a backup of RWebSDK.jar, open
RWebSDK.jar with an appropriate tool (such as WinZip), remove
the com.jcraft classes, and save the file. This eliminates the
unwanted version of the JCraft classes, and SSH will function correctly.

RWebSDK.jar is not distributed with Identity Manager,
and is only available as part of Attachmate 3270 Mainframe Adapter for Sun.
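
An added example, not part of the original documentation or of either product: a Python script that performs the backup-and-remove step described above and reports which com.jcraft classes RWebSDK.jar shares with jsch.jar. The jars built in the demo are constructed placeholders (com/example/Emulator.class is a made-up entry); point the functions at the real files in your deployment.

```python
import shutil
import tempfile
import zipfile
from pathlib import Path

PREFIX = "com/jcraft/"  # the com.jcraft package as stored inside a jar

def jcraft_classes(jar_path):
    """Return the set of com.jcraft .class entry names in a jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return {n for n in jar.namelist()
                if n.startswith(PREFIX) and n.endswith(".class")}

def strip_jcraft(jar_path):
    """Back up the jar as <name>.bak, rewrite it without com/jcraft/, and
    return the removed class names. An existing backup is never overwritten."""
    jar_path = Path(jar_path)
    removed = sorted(jcraft_classes(jar_path))
    if not removed:
        return []  # nothing to remove: leave the jar untouched
    backup = jar_path.with_name(jar_path.name + ".bak")
    if not backup.exists():
        shutil.copy2(jar_path, backup)
    tmp = jar_path.with_name(jar_path.name + ".tmp")
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not info.filename.startswith(PREFIX):
                dst.writestr(info, src.read(info.filename))
    tmp.replace(jar_path)  # swap the cleaned jar into place
    if jcraft_classes(jar_path):
        raise RuntimeError("com.jcraft classes still present after rewrite")
    return removed

def make_jar(path, names):
    """Write a constructed jar of empty placeholder entries (demo input only)."""
    with zipfile.ZipFile(path, "w") as jar:
        for name in names:
            jar.writestr(name, b"")
    return path

if __name__ == "__main__":
    # Constructed stand-ins for the two jars; replace with the real paths.
    work = Path(tempfile.mkdtemp())
    sdk = make_jar(work / "RWebSDK.jar",
                   ["com/jcraft/jsch/JSch.class", "com/example/Emulator.class"])
    jsch = make_jar(work / "jsch.jar", ["com/jcraft/jsch/JSch.class"])
    print("in both jars:", sorted(jcraft_classes(sdk) & jcraft_classes(jsch)))
    print("removed from RWebSDK.jar:", strip_jcraft(sdk))
```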